CVE-2024-49832
Published: 03 February 2025
Summary
CVE-2024-49832 is a high-severity Improper Validation of Array Index (CWE-129) vulnerability in Qualcomm Fastconnect 6900 Firmware. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 29.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation of information inputs such as the number of nodes passed to the AXI port to prevent improper array index validation leading to memory corruption.
Implements memory protections that comprehensively mitigate memory corruption exploits resulting from invalid array indices in the Camera component.
Mandates identification, reporting, and correction of flaws like this memory corruption vulnerability through timely patching as detailed in Qualcomm's security bulletin.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local memory corruption (array index validation failure) with low-priv access and high CIA impact directly enables local privilege escalation via exploitation.
NVD Description
Memory corruption in Camera due to unusually high number of nodes passed to AXI port.
Deeper analysisAI
CVE-2024-49832 is a memory corruption vulnerability in the Camera component, caused by an unusually high number of nodes passed to the AXI port. It is associated with CWE-129 (Improper Validation of Array Index) and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The vulnerability was published on 2025-02-03.
A local attacker with low privileges can exploit this issue through low-complexity attacks requiring no user interaction. Successful exploitation enables high-impact consequences, including unauthorized disclosure of information, modification of data, and denial of service.
Qualcomm's February 2025 security bulletin, available at https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2025-bulletin.html, details affected products and recommended mitigations or patches.
Details
- CWE(s)